Date: Tue, 1 Jan 2013 19:31:56 +0000
From: some one <s3cret.squirell@...il.com>
To: Benji <me@...ji.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: BF, CSRF, and IAA vulnerabilities in websecurity.com.ua

If you reread what I posted you will see that I do not give my opinion on
the quality of his posts. I will keep that to myself; I just state that it's
better than dude's (and your) troll posts.

Regards
On Jan 1, 2013 3:04 PM, "Benji" <me@...ji.com> wrote:

> So you would say, that you find the things he posts "of interest"?
>
> Please expand on how and why anti automation bugs in unknown cms's are "of
> interest"?
>
>
> On Mon, Dec 31, 2012 at 11:58 PM, some one <s3cret.squirell@...il.com> wrote:
>
>> If you do not like or find of interest what the guy posts is it not
>> easier to just press delete or filter him out rather than try to make fun
>> of him?
>>
>> Give the dude a break, man, he's submitting more things of interest than
>> you are and you just make yourself sound bitter and twisted.
>>
>> It's new year, man, go out and drink a beer or eat some fireworks
>> On Dec 31, 2012 5:17 PM, "Julius Kivimäki" <julius.kivimaki@...il.com>
>> wrote:
>>
>>> Hello list!
>>>
>>> I want to warn you about multiple extremely severe vulnerabilities in
>>> websecurity.com.ua.
>>>
>>> These are Brute Force and Insufficient Anti-automation vulnerabilities
>>> in websecurity.com.ua. These vulnerabilities are very serious and could
>>> affect millions of people.
>>>
>>> -------------------------
>>> Affected products:
>>> -------------------------
>>>
>>> Vulnerable are all versions of websecurity.com.ua.
>>>
>>> ----------
>>> Details:
>>> ----------
>>>
>>> Brute Force (WASC-11):
>>>
>>> In ftp server (websecurity.com.ua:21) there is no protection from Brute
>>> Force attacks.
>>>
>>> Cross-Site Request Forgery (WASC-09):
>>>
>>> Lack of captcha in login form (http://websecurity.com.ua:21/) can be
>>> used for different attacks - for CSRF-attack to log into the account
>>> (remote login - to conduct attacks on vulnerabilities inside of the
>>> account), for automated entering into the account, for phishing and
>>> other automated attacks, which you can read about in the article
>>> "Attacks on unprotected login forms"
>>> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).
>>>
>>> Insufficient Anti-automation (WASC-21):
>>>
>>> In login form there is no protection against automated requests, which
>>> allows picking up logins in an automated way by attacking the login
>>> function.
>>>
>>> ------------
>>> Timeline:
>>> ------------
>>>
>>> 2012.06.28 - announced at my site about websecurity.com.ua.
>>> 2012.06.28 - informed developers about the first part of vulnerabilities
>>> in websecurity.com.ua.
>>> 2012.06.30 - informed developers about the second part of vulnerabilities
>>> in websecurity.com.ua.
>>> 2012.07.26 - announced at my site about websecurity.com.ua.
>>> 2012.07.28 - informed developers about vulnerabilities in websecurity.com.ua
>>> and reminded about previous two letters I had sent to them with carrier
>>> pigeons.
>>> 2012.07.28-2012.10.31 - multiple attempts to contact the owners of
>>> websecurity.com.ua were ignored by the owners.
>>> 2012.11.02 - developers responded "fuck off and kill urself irl!".
>>> 2012.12.31 - disclosed on the list
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Security master extraordinaire, master sysadmin
>>> http://websecurity.com.ua
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>
>
